The Ultimate Member Plugin Has A Critical Security Vulnerability

Last updated December 5th, 2023 23:57

WPScan currently reports an active hacking campaign exploiting an unpatched vulnerability in the Ultimate Member plugin. WPScan has discovered that the Ultimate Member plugin has a critical security vulnerability, allowing unauthorized attackers to create new user accounts with administrative privileges. This enables the attacker to take control of the entire website (https://blog.wpscan.com/hacking-campaign-actively-exploiting-ultimate-member-plugin/). The vulnerability is assigned a CVSSv3.1 (Common Vulnerability Scoring System) score of 9.8, indicating its critical nature.

Hosting platforms like WP.cloud and Pressable.com by Automattic have noticed patterns in compromised websites, where unauthorized site administrators were appearing. After further investigation, the platform’s staff found discussions on the WordPress.org support forum regarding a potential privilege escalation vulnerability in the plugin. There were also indications that this vulnerability was actively being exploited.

The developers of the Ultimate Member plugin, which is active on over 200,000 WordPress websites, released a fix relatively quickly. However, according to WPScan, this fix is not entirely sufficient.

“In response to the vulnerability report, the plugin creators swiftly released a new version 2.6.4, intended to address the issue,” said WPScan security researcher Marc Montpas.

“However, upon examining this update, we discovered many ways to bypass the proposed fix, indicating that the problem is still fully exploitable.”

“Furthermore, by monitoring our systems, we have confirmed that attacks using this vulnerability are indeed taking place in real-world environments.”

Currently, version 2.6.6 has been released as the latest update of the Ultimate Member plugin. However, it is still considered vulnerable. WPScan recommends that users deactivate this plugin until the developers properly fix it.
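Two practical responses follow from the article: check whether the installed release is in the range WPScan reports as vulnerable (everything up to and including 2.6.6 at the time of writing), and look for the indicator the hosting platforms noticed, administrator accounts that nobody on the team created. The script below is an added example, not code from WPScan, Automattic or the Ultimate Member project. It assumes WP-CLI (`wp`) is installed on the host and that the plugin's directory slug is `ultimate-member`; the administrator list it parses is a constructed sample, and the version and user-list checks are plain shell functions so they can be run without WP-CLI.

```shell
#!/bin/sh
# Added example; not from WPScan, Automattic or the Ultimate Member project.
# Assumptions: WP-CLI ("wp") is on PATH and the plugin slug is "ultimate-member".

# Exit status 0 when the installed version is at or below 2.6.6, the last
# release the article reports as still vulnerable. Takes "MAJ.MIN[.PATCH]".
um_version_vulnerable() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -s -d. -f2)
    pat=$(printf '%s' "$1" | cut -s -d. -f3)
    min=${min:-0}
    pat=${pat:-0}
    if [ "$maj" -lt 2 ]; then return 0; fi
    if [ "$maj" -gt 2 ]; then return 1; fi
    if [ "$min" -lt 6 ]; then return 0; fi
    if [ "$min" -gt 6 ]; then return 1; fi
    [ "$pat" -le 6 ]
}

# Reads on stdin the CSV that
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# prints, and writes the login of every administrator registered on or after
# the date in $1 (YYYY-MM-DD). Fields are assumed not to contain commas.
# Administrator accounts that appeared unexpectedly are the sign the hosting
# platforms in the article used to spot compromised sites.
recent_admins() {
    awk -F, -v since="$1" 'NR > 1 && $4 >= since { print $2 }'
}

# Runs both checks against a live site. Only invoked with "--live" so the
# helper functions above can be exercised without WP-CLI.
audit_site() {
    since="$1"
    ver=$(wp plugin get ultimate-member --field=version 2>/dev/null) || {
        echo "ultimate-member not installed or WP-CLI unavailable"
        return 2
    }
    if um_version_vulnerable "$ver"; then
        echo "Ultimate Member $ver is in the vulnerable range; deactivating as WPScan advises"
        wp plugin deactivate ultimate-member
    else
        echo "Ultimate Member $ver is newer than 2.6.6; confirm against WPScan's advisory before trusting it"
    fi
    echo "Administrator accounts registered since $since (verify each one with the site owner):"
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv \
        | recent_admins "$since"
}

# Constructed sample of WP-CLI output for the stand-alone demo below.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,owner,owner@example.test,2021-04-12 09:15:00
57,backup_admin,x@example.test,2023-06-28 03:11:42
58,wpsupport,y@example.test,2023-07-01 11:02:07'

# Usage: sh um_audit.sh --live 2023-06-20   (against a real site)
#        sh um_audit.sh                     (demo on the constructed sample)
[ "${1:-}" = "--live" ] && { audit_site "${2:-2023-06-20}"; exit $?; }
printf '%s\n' "$SAMPLE_ADMINS" | recent_admins "2023-06-20"
```

The version check treats anything at or below 2.6.6 as vulnerable because the article reports that release as still exploitable; once the developers ship a release WPScan confirms as fixed, raise the threshold. The registration-date filter is a starting point, not proof: an account created before the campaign can still have been hijacked, so compare the list against who actually administers the site.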
